858e70ca...2c01 | Grouped Behavior
VTI SCORE: 95/100
Dynamic Analysis Report
Classification: Trojan, Keylogger

858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01 (SHA256)

858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe

Windows Exe (x86-32)

Created at 2018-08-09 12:05:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x9c4 Analysis Target High (Elevated) 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" -
#2 0x9d8 Child Process High (Elevated) 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Admin #1
#3 0x9e4 Child Process High (Elevated) 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Service 2520 #2
#4 0x5ac Injection Medium explorer.exe C:\Windows\Explorer.EXE #2
#5 0x540 Injection Medium taskhost.exe "taskhost.exe" #2
#6 0x58c Injection High (Elevated) taskeng.exe taskeng.exe {7737867F-ACDD-43AC-B745-B8B549957EED} S-1-5-21-3785418085-2572485238-895829336-1000:CRH2YWU7\EEBsYm5:Interactive:Highest[1] #2
#7 0x598 Injection Medium dwm.exe "C:\Windows\system32\Dwm.exe" #2
#8 0x7ac Injection Medium publish eclipse.exe "C:\Program Files\DVD Maker\publish eclipse.exe" #2
#9 0x234 Injection Medium believes.exe "C:\Program Files\Microsoft Office\believes.exe" #2
#10 0x508 Injection Medium draws-gpl-op.exe "C:\Program Files\Microsoft Office\draws-gpl-op.exe" #2
#11 0x45c Injection Medium shemales.exe "C:\Program Files\Mozilla Maintenance Service\shemales.exe" #2
#12 0x140 Injection Medium clan-down.exe "C:\Program Files\Reference Assemblies\clan-down.exe" #2
#13 0x7e0 Injection Medium naples-may.exe "C:\Program Files\Microsoft Visual Studio 8\naples-may.exe" #2
#14 0x610 Injection Medium l_meetup.exe "C:\Program Files\Google\l_meetup.exe" #2
#15 0x318 Injection Medium thou_blah_thanks.exe "C:\Program Files\Microsoft Analysis Services\thou_blah_thanks.exe" #2
#16 0x458 Injection Medium msn arg.exe "C:\Program Files\Microsoft Synchronization Services\msn arg.exe" #2
#17 0x14c Injection Medium schedulespackets.exe "C:\Program Files\MSBuild\schedulespackets.exe" #2
#18 0x520 Injection Medium individuals.exe "C:\Program Files\Reference Assemblies\individuals.exe" #2
#19 0x744 Injection Medium protocols.exe "C:\Program Files\Microsoft Synchronization Services\protocols.exe" #2
#20 0x360 Injection Medium colleges wind bread.exe "C:\Program Files\Microsoft Sync Framework\colleges wind bread.exe" #2
#21 0x308 Injection Medium correction ti.exe "C:\Program Files\Windows Journal\correction ti.exe" #2
#22 0x2dc Injection Medium producing_install.exe "C:\Program Files\Windows Photo Viewer\producing_install.exe" #2
#23 0x7c8 Injection Medium casa directors.exe "C:\Program Files\Windows Media Player\casa directors.exe" #2
#24 0x2ac Injection Medium rhsublime.exe "C:\Program Files\Reference Assemblies\rhsublime.exe" #2
#25 0x588 Injection Medium lions_commands.exe "C:\Program Files\Mozilla Maintenance Service\lions_commands.exe" #2
#26 0x810 Injection Medium resulted spanish.exe "C:\Program Files\MSBuild\resulted spanish.exe" #2
#27 0x830 Injection Medium taste_regulated.exe "C:\Program Files\Windows Photo Viewer\taste_regulated.exe" #2
#28 0x820 Injection Medium bo-optical-jar.exe "C:\Program Files\Windows Mail\bo-optical-jar.exe" #2
#29 0x184 Injection System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #2
#30 0x980 Injection System (Elevated) dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #2
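The overview above shows the sample relaunching its own image twice (first with --Admin, then with --Service 2520) and process #2 injecting into 27 other processes, two of which run at SYSTEM integrity (csrss.exe and dllhost.exe). Note that the analysis target itself already ran at High (Elevated) integrity, so the --Admin relaunch did not have to pass a UAC prompt in this run. The Python below is an added triage helper, not part of the VMRay report or of the sample: it parses rows in the overview's column layout (a subset of the rows above is embedded as input), rebuilds the Origin ID chain, extracts the relaunch arguments and groups injection targets by the process that injected and by integrity level. The regex and function names are my own.

```python
import re
from collections import defaultdict

# Rows copied from the Process Overview above (a subset of the 30 rows;
# IDs, PIDs and command lines are the report's own values).
OVERVIEW = r"""
#1 0x9c4 Analysis Target High (Elevated) 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" -
#2 0x9d8 Child Process High (Elevated) 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Admin #1
#3 0x9e4 Child Process High (Elevated) 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Service 2520 #2
#4 0x5ac Injection Medium explorer.exe C:\Windows\Explorer.EXE #2
#5 0x540 Injection Medium taskhost.exe "taskhost.exe" #2
#6 0x58c Injection High (Elevated) taskeng.exe taskeng.exe {7737867F-ACDD-43AC-B745-B8B549957EED} S-1-5-21-3785418085-2572485238-895829336-1000:CRH2YWU7\EEBsYm5:Interactive:Highest[1] #2
#8 0x7ac Injection Medium publish eclipse.exe "C:\Program Files\DVD Maker\publish eclipse.exe" #2
#29 0x184 Injection System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #2
#30 0x980 Injection System (Elevated) dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #2
"""

# One overview row: ID, PID, Monitor Reason, Integrity Level, Image Name,
# Command Line, Origin ID. Image names in this report all end in lowercase
# ".exe", which is what separates the image from the command line.
ROW_RE = re.compile(
    r"^#(?P<id>\d+)\s+(?P<pid>0x[0-9a-fA-F]+)\s+"
    r"(?P<reason>Analysis Target|Child Process|Injection)\s+"
    r"(?P<integrity>(?:System|High|Medium|Low|Untrusted)(?: \(Elevated\))?)\s+"
    r"(?P<image>.+?\.exe)\s+(?P<cmdline>.*?)\s+(?P<origin>-|#\d+)$"
)


def parse_overview(text):
    """Parse Process Overview rows into {id: row-dict}; origin is an int or None."""
    procs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["id"] = int(row["id"])
        row["origin"] = None if row["origin"] == "-" else int(row["origin"][1:])
        procs[row["id"]] = row
    return procs


def lineage(procs, proc_id):
    """Follow Origin ID links back to the analysis target, e.g. [3, 2, 1]."""
    chain = []
    while proc_id is not None:
        chain.append(proc_id)
        proc_id = procs[proc_id]["origin"]
    return chain


def self_spawn_args(procs):
    """Extra arguments the sample passes when it re-launches its own image."""
    args = {}
    for p in procs.values():
        if p["reason"] != "Child Process":
            continue
        if procs[p["origin"]]["image"] != p["image"]:
            continue
        # The command line starts with the quoted image path; keep what follows it.
        args[p["id"]] = p["cmdline"].split('"')[-1].strip()
    return args


def injection_targets(procs):
    """Injection targets grouped by the injecting process: {origin: [(image, integrity)]}."""
    targets = defaultdict(list)
    for p in procs.values():
        if p["reason"] == "Injection":
            targets[p["origin"]].append((p["image"], p["integrity"]))
    return dict(targets)


def system_integrity_targets(procs):
    """Injection targets that run at SYSTEM integrity, sorted by image name."""
    return sorted(
        p["image"] for p in procs.values()
        if p["reason"] == "Injection" and p["integrity"].startswith("System")
    )


if __name__ == "__main__":
    procs = parse_overview(OVERVIEW)
    print("analysis target integrity:", procs[1]["integrity"])
    for pid, a in self_spawn_args(procs).items():
        print(f"#{pid} relaunch args {a!r}, lineage {lineage(procs, pid)}")
    for origin, tl in injection_targets(procs).items():
        print(f"#{origin} injected into {len(tl)} processes")
    print("SYSTEM-integrity targets:", system_integrity_targets(procs))
```

Run against the full 30-row table the injection count for #2 is 27; the embedded subset keeps the structurally interesting rows (the relaunch chain, an image name containing a space, a High and two SYSTEM integrity targets).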

Behavior Information - Grouped by Category

Process #1: 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe
Information Value
ID #1
File Name c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe
Command Line "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:25, Reason: Analysis Target
Unmonitor End Time: 00:00:33, Reason: Self Terminated
Monitor Duration 00:00:08
OS Process Information
Information Value
PID 0x9c4
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C8, 0x9CC, 0x9D0, 0x9D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
oleaccrc.dll 0x000d0000 0x000d0fff Memory Mapped File r False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x002f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000300000 0x00300000 0x00300fff Pagefile Backed Memory r True False False -
cversions.2.db 0x00310000 0x00313fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db 0x00320000 0x0033efff Memory Mapped File r True False False -
pagefile_0x0000000000340000 0x00340000 0x00340fff Pagefile Backed Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
pagefile_0x0000000000450000 0x00450000 0x00550fff Pagefile Backed Memory r True False False -
private_0x0000000000560000 0x00560000 0x005dffff Private Memory rw True False False -
cversions.2.db 0x005e0000 0x005e3fff Memory Mapped File r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f6fff Pagefile Backed Memory r True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
pagefile_0x0000000000610000 0x00610000 0x00611fff Pagefile Backed Memory rw True False False -
private_0x0000000000630000 0x00630000 0x0063ffff Private Memory rw True False False -
pagefile_0x0000000000640000 0x00640000 0x0123ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001240000 0x01240000 0x0131efff Pagefile Backed Memory r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x01320000 0x0134ffff Memory Mapped File r True False False -
858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x01360000 0x01748fff Memory Mapped File rwx True True False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01750000 0x017b5fff Memory Mapped File r True False False -
private_0x00000000018b0000 0x018b0000 0x018effff Private Memory rw True False False -
private_0x0000000001900000 0x01900000 0x019fffff Private Memory rw True False False -
sortdefault.nls 0x01a00000 0x01ccefff Memory Mapped File r False False False -
private_0x0000000001e00000 0x01e00000 0x01efffff Private Memory rw True False False -
pagefile_0x0000000001f00000 0x01f00000 0x022f2fff Pagefile Backed Memory r True False False -
private_0x0000000002420000 0x02420000 0x0251ffff Private Memory rw True False False -
winmm.dll 0x6e9f0000 0x6ea21fff Memory Mapped File rwx False False False -
winspool.drv 0x70200000 0x70250fff Memory Mapped File rwx False False False -
mpr.dll 0x71d30000 0x71d41fff Memory Mapped File rwx False False False -
oledlg.dll 0x71e60000 0x71e7bfff Memory Mapped File rwx False False False -
msimg32.dll 0x71f50000 0x71f54fff Memory Mapped File rwx False False False -
oleacc.dll 0x72360000 0x7239bfff Memory Mapped File rwx False False False -
ntmarta.dll 0x73c00000 0x73c20fff Memory Mapped File rwx False False False -
gdiplus.dll 0x74050000 0x741dffff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
propsys.dll 0x74220000 0x74314fff Memory Mapped File rwx False False False -
comctl32.dll 0x74360000 0x744fdfff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
msasn1.dll 0x753f0000 0x753fbfff Memory Mapped File rwx False False False -
crypt32.dll 0x75420000 0x7553cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
wldap32.dll 0x75730000 0x75774fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
wininet.dll 0x76650000 0x76744fff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
urlmon.dll 0x76e70000 0x76fa5fff Memory Mapped File rwx False False False -
iertutil.dll 0x76fb0000 0x771aafff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
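Every loaded module in the region table above is listed as rwx, so an rwx permission on a mapped file is not by itself a finding in this report; what matters is executable memory that is not file-backed, and which regions the sandbox actually dumped (here only the sample's own image at 0x01360000-0x01748fff). The Python below is an added example, not part of the report: it parses rows in the region table's layout (a subset of the rows above is embedded, plus one constructed private rwx row that does not appear in the report, to show what a positive hit looks like), flags executable non-image regions and lists dumped regions with their sizes. The same code applies to the region table of process #2 further down.

```python
import re

# Rows copied from the Region table of process #1 above (a subset).
REGIONS_FROM_REPORT = """
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x01360000 0x01748fff Memory Mapped File rwx True True False
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
"""

# Constructed, NOT from the report: a private rwx region of the kind an
# unpacker or an injected stub would allocate.
CONSTRUCTED_RWX_ROW = (
    "private_0x0000000003000000 0x03000000 0x0300ffff Private Memory rwx True True False -"
)

# One region row: Name, Start VA, End VA, Type, Permissions, Monitored,
# Dumped, YARA, Actions (the Actions column is absent on the dumped row).
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+"
    r"(?P<type>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perm>[rwx]+)\s+(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+"
    r"(?P<yara>True|False)(?:\s+(?P<actions>\S+))?\s*$"
)


def parse_regions(text):
    """Parse region rows into dicts with integer addresses and boolean flags."""
    regions = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed region row: {line!r}")
        r = m.groupdict()
        r["start"] = int(r["start"], 16)
        r["end"] = int(r["end"], 16)
        r["size"] = r["end"] - r["start"] + 1
        for key in ("monitored", "dumped", "yara"):
            r[key] = r[key] == "True"
        regions.append(r)
    return regions


def executable_non_image(regions):
    """Names of executable regions that are not file-backed images.

    Mapped modules are skipped on purpose: in this report every loaded DLL is
    listed as rwx, so that flag alone carries no signal. Executable private or
    pagefile-backed memory is where unpacked or injected code normally lives.
    """
    return [r["name"] for r in regions
            if "x" in r["perm"] and r["type"] != "Memory Mapped File"]


def dumped_regions(regions):
    """(name, size in bytes) of regions the sandbox dumped; pull these for static analysis."""
    return [(r["name"], r["size"]) for r in regions if r["dumped"]]


if __name__ == "__main__":
    base = parse_regions(REGIONS_FROM_REPORT)
    print("executable non-image regions (report rows):", executable_non_image(base))
    print("dumped regions:", dumped_regions(base))
    aug = parse_regions(REGIONS_FROM_REPORT + CONSTRUCTED_RWX_ROW + "\n")
    print("with the constructed row added:", executable_non_image(aug))
```

On the report's own rows the first check returns nothing: the only executable, dumped region is the sample image itself, so the dump to start with is that 0x3E9000-byte image rather than a separate unpacked blob.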
Host Behavior
File (13)
Operation Filename Additional Information Success Count Logfile
Create C:\windows\123.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 3
Create C:\windows\12322.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\windows\12344.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 2
Create C:\windows\12355.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\windows\12366.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\windows\12377.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\windows\12388.txtt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Registry (9)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 - False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = NoRun, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = NoDrives, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = RestrictRun, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = NoNetConnectDisconnect, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = NoRecentDocsHistory, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = NoClose, data = 0, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe show_window = SW_SHOW True 1
Module (70)
Operation Module Additional Information Success Count Logfile
Load - base_address = 0x0 False 1
Load advapi32.dll base_address = 0x769f0000 True 1
Load C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01ENU.dll base_address = 0x0 False 4
Load C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01LOC.dll base_address = 0x0 False 2
Get Handle c:\windows\system32\kernel32.dll base_address = 0x76910000 True 8
Get Handle c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe base_address = 0x1360000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 260 True 1
Get Filename c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 260 True 2
Get Filename C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01LOC.dll process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 1024 True 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x7696418d True 1
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x76961f61 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76961e16 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x769676e6 True 1
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76963879 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateEventExW, address_out = 0x769124d8 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76942111 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76952510 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7694b009 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolTimer, address_out = 0x772589be True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7724c02a True 1
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7724c0d2 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76943f78 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolWait, address_out = 0x77258bfb True 1
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7724b567 True 1
Get Address c:\windows\system32\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77275998 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77242251 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x772428f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76942004 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76999aa9 True 1
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7699f3cf True 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x7696ebc6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDateFormatEx, address_out = 0x769af29f True 1
Get Address c:\windows\system32\kernel32.dll function = GetLocaleInfoEx, address_out = 0x769453a5 True 2
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatEx, address_out = 0x769af21a True 1
Get Address c:\windows\system32\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7699f70b True 1
Get Address c:\windows\system32\kernel32.dll function = IsValidLocaleName, address_out = 0x7699f71b True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7699f72b True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount64, address_out = 0x7694eb4e True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x76942383 True 1
Get Address c:\windows\system32\kernel32.dll function = GetThreadGroupAffinity, address_out = 0x769a0226 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumberEx, address_out = 0x7729ebd3 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformationEx, address_out = 0x7555f731 True 2
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsW, address_out = 0x7725865a True 1
Get Address c:\windows\system32\advapi32.dll function = UnregisterTraceGuids, address_out = 0x7725b065 True 1
Get Address c:\windows\system32\advapi32.dll function = TraceEvent, address_out = 0x772a9d9c True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceLoggerHandle, address_out = 0x77258a96 True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceEnableLevel, address_out = 0x77258aff True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceEnableFlags, address_out = 0x77258b35 True 1
Get Address c:\windows\system32\kernel32.dll function = GetThreadPreferredUILanguages, address_out = 0x769522d7 True 1
Get Address c:\windows\system32\kernel32.dll function = RegisterApplicationRestart, address_out = 0x76943665 True 1
System (10)
Operation Additional Information Success Count Logfile
Get Cursor x_out = 810, y_out = 451 True 1
Get Time type = System Time, time = 2018-08-09 12:05:56 (UTC) True 2
Get Time type = Ticks, time = 101182 True 4
Register Hook type = WH_MSGFILTER, hookproc_address = 0x139b40e True 1
Get Info type = Operating System True 2
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Data
Ini (2)
Operation Filename Additional Information Success Count Logfile
Read Win.ini section_name = windows, key_name = DragMinDist, default_value = 2, data_out = 2 True 1
Read Win.ini section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 True 1
Process #2: 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe
Information Value
ID #2
File Name c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe
Command Line "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Admin
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:31, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x9c4 (c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs (85)
0x9DC, 0x9E0, 0x9EC, 0x9F4, 0x9F8, 0xA2C, 0xAC0, 0xAF4, 0xB20, 0xB4C,
0xB78, 0xBA8, 0xC00, 0xC2C, 0xC58, 0xCB4, 0xD14, 0xD30, 0xD84, 0xDB4,
0xDE0, 0xE0C, 0xE40, 0xE74, 0xEA0, 0xECC, 0xEF8, 0xF24, 0xF54, 0xF84,
0xFB0, 0xFDC, 0x8C0, 0x4D0, 0x670, 0x8A4, 0x490, 0x5FC, 0x838, 0x93C,
0x928, 0x9C0, 0xA08, 0xAC8, 0x9BC, 0xAC4, 0xB04, 0xB34, 0xB48, 0xB84,
0xBC4, 0xC18, 0xC40, 0xC78, 0xBD8, 0xCE0, 0xD34, 0xDF4, 0xE1C, 0x208,
0x4D4, 0x840, 0xE6C, 0xE9C, 0xEBC, 0x5E0, 0x1CC, 0xF20, 0xF5C, 0xF78,
0xFAC, 0xFE4, 0x48C, 0x8D4, 0x47C, 0x6E4, 0x81C, 0x6A0, 0x828, 0x5D0,
0x4F4, 0x950, 0x5E4, 0x970, 0xA00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
oleaccrc.dll 0x001d0000 0x001d0fff Memory Mapped File r False False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
pagefile_0x0000000000200000 0x00200000 0x002c7fff Pagefile Backed Memory r True False False -
private_0x00000000002d0000 0x002d0000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x00350fff Private Memory rw True False False -
pagefile_0x0000000000360000 0x00360000 0x00366fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000370000 0x00370000 0x00371fff Pagefile Backed Memory rw True False False -
private_0x0000000000380000 0x00380000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
pagefile_0x00000000004c0000 0x004c0000 0x005c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x011cffff Pagefile Backed Memory r True False False -
pagefile_0x00000000011d0000 0x011d0000 0x012aefff Pagefile Backed Memory r True False False -
pagefile_0x00000000012b0000 0x012b0000 0x012b0fff Pagefile Backed Memory rw True False False -
rpcss.dll 0x012c0000 0x0131bfff Memory Mapped File r False False False -
pagefile_0x00000000012c0000 0x012c0000 0x012c1fff Pagefile Backed Memory r True False False -
msctf.dll.mui 0x012c0000 0x012c0fff Memory Mapped File rw False False False -
pagefile_0x00000000012d0000 0x012d0000 0x012d1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000012d0000 0x012d0000 0x012d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000012e0000 0x012e0000 0x012e0fff Pagefile Backed Memory r True False False -
private_0x00000000012f0000 0x012f0000 0x012f0fff Private Memory rw True False False -
858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x01360000 0x01748fff Memory Mapped File rwx True True False -
kernelbase.dll.mui 0x01750000 0x0180ffff Memory Mapped File rw False False False -
private_0x0000000001830000 0x01830000 0x0192ffff Private Memory rw True False False -
private_0x0000000001930000 0x01930000 0x0193ffff Private Memory rw True False False -
private_0x0000000001a10000 0x01a10000 0x01b0ffff Private Memory rw True False False -
sortdefault.nls 0x01b10000 0x01ddefff Memory Mapped File r False False False -
private_0x0000000001de0000 0x01de0000 0x01f9ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01edffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01f5ffff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01f9ffff Private Memory rw True False False -
pagefile_0x0000000001fa0000 0x01fa0000 0x02392fff Pagefile Backed Memory r True False False -
staticcache.dat 0x023a0000 0x02ccffff Memory Mapped File r False False False -
private_0x0000000002d10000 0x02d10000 0x02e0ffff Private Memory rw True False False -
private_0x0000000002d40000 0x02d40000 0x02e3ffff Private Memory rw True False False -
imageres.dll 0x02e40000 0x04194fff Memory Mapped File r False False False -
private_0x00000000041a0000 0x041a0000 0x0429ffff Private Memory rw True False False -
private_0x00000000042f0000 0x042f0000 0x043effff Private Memory rw True False False -
private_0x0000000004440000 0x04440000 0x0453ffff Private Memory rw True False False -
private_0x0000000004540000 0x04540000 0x0463ffff Private Memory rw True False False -
private_0x0000000004640000 0x04640000 0x0473ffff Private Memory rw True False False -
private_0x0000000004740000 0x04740000 0x0483ffff Private Memory rw True False False -
private_0x0000000004810000 0x04810000 0x0490ffff Private Memory rw True False False -
private_0x0000000004860000 0x04860000 0x0495ffff Private Memory rw True False False -
private_0x0000000004920000 0x04920000 0x04a1ffff Private Memory rw True False False -
private_0x00000000049f0000 0x049f0000 0x04aeffff Private Memory rw True False False -
private_0x0000000004b90000 0x04b90000 0x04c8ffff Private Memory rw True False False -
private_0x0000000004c90000 0x04c90000 0x04d8ffff Private Memory rw True False False -
private_0x0000000004dc0000 0x04dc0000 0x04ebffff Private Memory rw True False False -
private_0x0000000004dd0000 0x04dd0000 0x04ecffff Private Memory rw True False False -
private_0x0000000004ee0000 0x04ee0000 0x04fdffff Private Memory rw True False False -
private_0x0000000004fe0000 0x04fe0000 0x050dffff Private Memory rw True False False -
private_0x0000000005190000 0x05190000 0x0528ffff Private Memory rw True False False -
private_0x00000000052a0000 0x052a0000 0x0539ffff Private Memory rw True False False -
private_0x00000000053d0000 0x053d0000 0x054cffff Private Memory rw True False False -
private_0x00000000054e0000 0x054e0000 0x055dffff Private Memory rw True False False -
private_0x0000000005640000 0x05640000 0x0573ffff Private Memory rw True False False -
private_0x00000000057e0000 0x057e0000 0x058dffff Private Memory rw True False False -
private_0x0000000005960000 0x05960000 0x05a5ffff Private Memory rw True False False -
private_0x0000000005ad0000 0x05ad0000 0x05bcffff Private Memory rw True False False -
private_0x0000000005ca0000 0x05ca0000 0x05d9ffff Private Memory rw True False False -
private_0x0000000005e90000 0x05e90000 0x05f8ffff Private Memory rw True False False -
private_0x0000000006000000 0x06000000 0x060fffff Private Memory rw True False False -
private_0x0000000006140000 0x06140000 0x0623ffff Private Memory rw True False False -
private_0x00000000062b0000 0x062b0000 0x063affff Private Memory rw True False False -
private_0x00000000063c0000 0x063c0000 0x064bffff Private Memory rw True False False -
private_0x0000000006590000 0x06590000 0x0668ffff Private Memory rw True False False -
private_0x00000000066c0000 0x066c0000 0x067bffff Private Memory rw True False False -
private_0x0000000006870000 0x06870000 0x0696ffff Private Memory rw True False False -
winmm.dll 0x6e9f0000 0x6ea21fff Memory Mapped File rwx False False False -
winspool.drv 0x70200000 0x70250fff Memory Mapped File rwx False False False -
cscapi.dll 0x705d0000 0x705dafff Memory Mapped File rwx False False False -
mpr.dll 0x71d30000 0x71d41fff Memory Mapped File rwx False False False -
browcli.dll 0x71de0000 0x71decfff Memory Mapped File rwx False False False -
davclnt.dll 0x71df0000 0x71e06fff Memory Mapped File rwx False False False -
ntlanman.dll 0x71e10000 0x71e23fff Memory Mapped File rwx False False False -
oledlg.dll 0x71e60000 0x71e7bfff Memory Mapped File rwx False False False -
davhlpr.dll 0x71f20000 0x71f27fff Memory Mapped File rwx False False False -
drprov.dll 0x71f40000 0x71f47fff Memory Mapped File rwx False False False -
msimg32.dll 0x71f50000 0x71f54fff Memory Mapped File rwx False False False -
oleacc.dll 0x72360000 0x7239bfff Memory Mapped File rwx False False False -
wkscli.dll 0x73c40000 0x73c4efff Memory Mapped File rwx False False False -
netutils.dll 0x73c50000 0x73c58fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
gdiplus.dll 0x74050000 0x741dffff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
comctl32.dll 0x74360000 0x744fdfff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
winsta.dll 0x75340000 0x75368fff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ff9d000 0x7ff9d000 0x7ff9dfff Private Memory rw True False False -
private_0x000000007ff9e000 0x7ff9e000 0x7ff9efff Private Memory rw True False False -
private_0x000000007ff9f000 0x7ff9f000 0x7ff9ffff Private Memory rw True False False -
private_0x000000007ffa0000 0x7ffa0000 0x7ffa0fff Private Memory rw True False False -
private_0x000000007ffa1000 0x7ffa1000 0x7ffa1fff Private Memory rw True False False -
private_0x000000007ffa2000 0x7ffa2000 0x7ffa2fff Private Memory rw True False False -
private_0x000000007ffa3000 0x7ffa3000 0x7ffa3fff Private Memory rw True False False -
private_0x000000007ffa4000 0x7ffa4000 0x7ffa4fff Private Memory rw True False False -
private_0x000000007ffa5000 0x7ffa5000 0x7ffa5fff Private Memory rw True False False -
private_0x000000007ffa6000 0x7ffa6000 0x7ffa6fff Private Memory rw True False False -
private_0x000000007ffa7000 0x7ffa7000 0x7ffa7fff Private Memory rw True False False -
private_0x000000007ffa8000 0x7ffa8000 0x7ffa8fff Private Memory rw True False False -
private_0x000000007ffa9000 0x7ffa9000 0x7ffa9fff Private Memory rw True False False -
private_0x000000007ffaa000 0x7ffaa000 0x7ffaafff Private Memory rw True False False -
private_0x000000007ffab000 0x7ffab000 0x7ffabfff Private Memory rw True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 81 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Process (9462)
Operation Process Additional Information Success Count
Create "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Service 2520 os_pid = 0x9e4, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 7
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 2
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 115
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 457
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 126
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 25
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 109
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 142
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 62
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 58
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 123
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 188
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 57
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 117
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 96
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 83
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 243
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 124
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 156
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 137
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 77
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 52
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 105
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 123
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 82
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 39
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 84
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 38
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 35
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 115
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 123
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 119
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 26
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 97
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 119
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 118
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 120
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 119
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 243
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 65
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 122
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 332
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 32
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 129
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 123
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 123
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 88
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 1
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 124
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 123
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 121
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 50
Module (71)
Operation Module Additional Information Success Count
Load - base_address = 0x0 False 1
Load advapi32.dll base_address = 0x769f0000 True 1
Load C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01ENU.dll base_address = 0x0 False 4
Load C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01LOC.dll base_address = 0x0 False 2
Load Comctl32.dll base_address = 0x74360000 True 2
Get Handle c:\windows\system32\kernel32.dll base_address = 0x76910000 True 5
Get Handle c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe base_address = 0x1360000 True 3
Get Handle c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe base_address = 0x1360000, flags = GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Get Filename - process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 260 True 1
Get Filename c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 260 True 1
Get Filename c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 261 True 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x7696418d True 1
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x76961f61 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76961e16 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x769676e6 True 1
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76963879 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateEventExW, address_out = 0x769124d8 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76942111 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76952510 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7694b009 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolTimer, address_out = 0x772589be True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7724c02a True 1
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7724c0d2 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76943f78 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolWait, address_out = 0x77258bfb True 1
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7724b567 True 1
Get Address c:\windows\system32\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77275998 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77242251 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x772428f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76942004 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76999aa9 True 1
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7699f3cf True 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x7696ebc6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDateFormatEx, address_out = 0x769af29f True 1
Get Address c:\windows\system32\kernel32.dll function = GetLocaleInfoEx, address_out = 0x769453a5 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatEx, address_out = 0x769af21a True 1
Get Address c:\windows\system32\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7699f70b True 1
Get Address c:\windows\system32\kernel32.dll function = IsValidLocaleName, address_out = 0x7699f71b True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7699f72b True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount64, address_out = 0x7694eb4e True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x76942383 True 1
Get Address c:\windows\system32\kernel32.dll function = GetThreadGroupAffinity, address_out = 0x769a0226 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumberEx, address_out = 0x7729ebd3 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformationEx, address_out = 0x7555f731 True 2
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsW, address_out = 0x7725865a True 1
Get Address c:\windows\system32\advapi32.dll function = UnregisterTraceGuids, address_out = 0x7725b065 True 1
Get Address c:\windows\system32\advapi32.dll function = TraceEvent, address_out = 0x772a9d9c True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceLoggerHandle, address_out = 0x77258a96 True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceEnableLevel, address_out = 0x77258aff True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceEnableFlags, address_out = 0x77258b35 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateActCtxW, address_out = 0x76955d0f True 1
Get Address c:\windows\system32\kernel32.dll function = ActivateActCtx, address_out = 0x76955911 True 1
Get Address c:\windows\system32\kernel32.dll function = FindActCtxSectionStringW, address_out = 0x7696c07d True 1
Get Address c:\windows\system32\kernel32.dll function = DeactivateActCtx, address_out = 0x76955942 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x743809ce True 1
Window (6)
Operation Window Name Additional Information Success Count
Create - - False 1
Set Attribute - index = 18446744073709551612, new_long = 20479238 True 5
System (9471)
Operation Additional Information Success Count
Get Cursor x_out = 810, y_out = 451 True 1
Sleep duration = 1 milliseconds (0.001 seconds) True 9461
Get Time type = System Time, time = 2018-08-09 12:05:56 (UTC) True 2
Get Time type = Ticks, time = 101525 True 4
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x1371850 True 1
Get Info type = Operating System True 2
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Data
Ini (2)
Operation Filename Additional Information Success Count
Read Win.ini section_name = windows, key_name = DragMinDist, default_value = 2, data_out = 2 True 1
Read Win.ini section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 True 1
Process #3: 858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe
Information Value
ID #3
File Name c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe
Command Line "C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe" --Service 2520
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:31, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
OS Process Information
Information Value
PID 0x9e4
Parent PID 0x9d8 (c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9E8
0x9F0
0xA28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
oleaccrc.dll 0x000d0000 0x000d0fff Memory Mapped File r False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002f0fff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00467fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000470000 0x00470000 0x00570fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000580000 0x00580000 0x0117ffff Pagefile Backed Memory r True False False -
private_0x0000000001180000 0x01180000 0x011fffff Private Memory rw True False False -
pagefile_0x0000000001200000 0x01200000 0x012defff Pagefile Backed Memory r True False False -
private_0x0000000001310000 0x01310000 0x0134ffff Private Memory rw True False False -
858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x01360000 0x01748fff Memory Mapped File rwx True True False
private_0x0000000001910000 0x01910000 0x01a0ffff Private Memory rw True False False -
winmm.dll 0x6e9f0000 0x6ea21fff Memory Mapped File rwx False False False -
winspool.drv 0x70200000 0x70250fff Memory Mapped File rwx False False False -
mpr.dll 0x71d30000 0x71d41fff Memory Mapped File rwx False False False -
oledlg.dll 0x71e60000 0x71e7bfff Memory Mapped File rwx False False False -
msimg32.dll 0x71f50000 0x71f54fff Memory Mapped File rwx False False False -
oleacc.dll 0x72360000 0x7239bfff Memory Mapped File rwx False False False -
gdiplus.dll 0x74050000 0x741dffff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
comctl32.dll 0x74360000 0x744fdfff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Process (433)
Operation Process Additional Information Success Count Logfile
Open c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe desired_access = SYNCHRONIZE True 433
Module (61)
Operation Module Additional Information Success Count Logfile
Load - base_address = 0x0 False 1
Load advapi32.dll base_address = 0x769f0000 True 1
Load C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01ENU.dll base_address = 0x0 False 4
Load C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01LOC.dll base_address = 0x0 False 2
Get Handle c:\windows\system32\kernel32.dll base_address = 0x76910000 True 5
Get Handle c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe base_address = 0x1360000 True 2
Get Filename - process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 260 True 1
Get Filename c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe process_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\858E70CA9281A346BF5399B181643ABA478960142637460FEA7B7D14D3192C01.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x7696418d True 1
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x76961f61 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76961e16 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x769676e6 True 1
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76963879 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateEventExW, address_out = 0x769124d8 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76942111 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76952510 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7694b009 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolTimer, address_out = 0x772589be True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7724c02a True 1
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7724c0d2 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76943f78 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadpoolWait, address_out = 0x77258bfb True 1
Get Address c:\windows\system32\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7724b567 True 1
Get Address c:\windows\system32\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77275998 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77242251 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x772428f6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76942004 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76999aa9 True 1
Get Address c:\windows\system32\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7699f3cf True 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x7696ebc6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDateFormatEx, address_out = 0x769af29f True 1
Get Address c:\windows\system32\kernel32.dll function = GetLocaleInfoEx, address_out = 0x769453a5 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatEx, address_out = 0x769af21a True 1
Get Address c:\windows\system32\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x7699f70b True 1
Get Address c:\windows\system32\kernel32.dll function = IsValidLocaleName, address_out = 0x7699f71b True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7699f72b True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount64, address_out = 0x7694eb4e True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll address_out = 0x76942383 True 1
Get Address c:\windows\system32\kernel32.dll function = GetThreadGroupAffinity, address_out = 0x769a0226 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessorNumberEx, address_out = 0x7729ebd3 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalProcessorInformationEx, address_out = 0x7555f731 True 2
Get Address c:\windows\system32\advapi32.dll function = RegisterTraceGuidsW, address_out = 0x7725865a True 1
Get Address c:\windows\system32\advapi32.dll function = UnregisterTraceGuids, address_out = 0x7725b065 True 1
Get Address c:\windows\system32\advapi32.dll function = TraceEvent, address_out = 0x772a9d9c True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceLoggerHandle, address_out = 0x77258a96 True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceEnableLevel, address_out = 0x77258aff True 1
Get Address c:\windows\system32\advapi32.dll function = GetTraceEnableFlags, address_out = 0x77258b35 True 1
System (441)
Operation Additional Information Success Count Logfile
Get Cursor x_out = 852, y_out = 583 True 1
Sleep duration = 1 milliseconds (0.001 seconds) True 432
Get Time type = System Time, time = 2018-08-09 12:05:57 (UTC) True 2
Get Time type = Ticks, time = 102024 True 4
Get Info type = Operating System True 2
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Data
Ini (2)
Operation Filename Additional Information Success Count Logfile
Read Win.ini section_name = windows, key_name = DragMinDist, default_value = 2, data_out = 2 True 1
Read Win.ini section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 True 1
Process #4: explorer.exe
Information Value
ID #4
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5ac
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x918, 0x914, 0x90C, 0x55C, 0x7A0, 0x71C, 0x734, 0x6F8, 0x6B8, 0x6B0, 0x6A8, 0x674, 0x418,
0x268, 0x150, 0x798, 0x72C, 0x708, 0x704, 0x6F8, 0x6CC, 0x6C8, 0x6C0, 0x6AC, 0x6A4, 0x67C, 0x604,
0x5F8, 0x5E8, 0x5E4, 0x5D8, 0x5BC, 0x5B0, 0xA38, 0xD6C, 0xD70, 0xF08, 0x718
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0011ffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0015ffff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x00277fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000280000 0x00280000 0x00281fff Pagefile Backed Memory r True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a1fff Pagefile Backed Memory r True False False -
private_0x00000000002b0000 0x002b0000 0x002d6fff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x004e0fff Pagefile Backed Memory r True False False -
private_0x00000000004f0000 0x004f0000 0x00529fff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x00530fff Pagefile Backed Memory r True False False -
private_0x0000000000540000 0x00540000 0x00599fff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x009a2fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009b0000 0x009b0000 0x009b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009c0000 0x009c0000 0x009c2fff Pagefile Backed Memory r True False False -
private_0x00000000009d0000 0x009d0000 0x009d3fff Private Memory rw True False False -
private_0x00000000009e0000 0x009e0000 0x009f7fff Private Memory rw True False False -
explorer.exe 0x00a00000 0x00c80fff Memory Mapped File rwx False False False -
pagefile_0x0000000000c90000 0x00c90000 0x0188ffff Pagefile Backed Memory r True False False -
private_0x0000000001890000 0x01890000 0x0198ffff Private Memory rw True False False -
private_0x0000000001990000 0x01990000 0x01a1ffff Private Memory rw True False False -
private_0x0000000001a20000 0x01a20000 0x01a2ffff Private Memory rw True False False -
private_0x0000000001a30000 0x01a30000 0x01a30fff Private Memory rw True False False -
private_0x0000000001a40000 0x01a40000 0x01a4ffff Private Memory - True False False -
private_0x0000000001a50000 0x01a50000 0x01a5ffff Private Memory rw True False False -
private_0x0000000001a60000 0x01a60000 0x01a9ffff Private Memory rw True False False -
pagefile_0x0000000001aa0000 0x01aa0000 0x01b7efff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01b80000 0x01e4efff Memory Mapped File r False False False -
pagefile_0x0000000001e50000 0x01e50000 0x01e51fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001e60000 0x01e60000 0x01e61fff Pagefile Backed Memory r True False False -
private_0x0000000001e70000 0x01e70000 0x01e70fff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01ebffff Private Memory rw True False False -
private_0x0000000001ec0000 0x01ec0000 0x01efffff Private Memory rw True False False -
private_0x0000000001f00000 0x01f00000 0x01f3ffff Private Memory rw True False False -
comctl32.dll.mui 0x01f40000 0x01f42fff Memory Mapped File rw False False False -
private_0x0000000001f50000 0x01f50000 0x01f5ffff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01f6ffff Private Memory rw True False False -
private_0x0000000001f70000 0x01f70000 0x01f7ffff Private Memory rw True False False -
private_0x0000000001f80000 0x01f80000 0x01f8ffff Private Memory rw True False False -
private_0x0000000001f90000 0x01f90000 0x01f9ffff Private Memory rw True False False -
private_0x0000000001fa0000 0x01fa0000 0x01faffff Private Memory rw True False False -
private_0x0000000001fb0000 0x01fb0000 0x01fbffff Private Memory rw True False False -
private_0x0000000001fc0000 0x01fc0000 0x01fcffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x01fdffff Private Memory rw True False False -
private_0x0000000001fe0000 0x01fe0000 0x01feffff Private Memory rw True False False -
pagefile_0x0000000001ff0000 0x01ff0000 0x01ff1fff Pagefile Backed Memory r True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x0208ffff Private Memory rw True False False -
private_0x0000000002090000 0x02090000 0x02090fff Private Memory rw True False False -
private_0x00000000020a0000 0x020a0000 0x020a0fff Private Memory rw True False False -
private_0x00000000020b0000 0x020b0000 0x020b0fff Private Memory rw True False False -
private_0x00000000020c0000 0x020c0000 0x020c3fff Private Memory rw True False False -
private_0x00000000020d0000 0x020d0000 0x020d7fff Private Memory rw True False False -
pagefile_0x00000000020f0000 0x020f0000 0x020f0fff Pagefile Backed Memory rw True False False -
private_0x0000000002100000 0x02100000 0x02108fff Private Memory rw True False False -
private_0x0000000002110000 0x02110000 0x02110fff Private Memory rw True False False -
private_0x0000000002120000 0x02120000 0x0212ffff Private Memory rw True False False -
thumbcache_96.db 0x02130000 0x0222ffff Memory Mapped File rw True False False -
pagefile_0x0000000002230000 0x02230000 0x02231fff Pagefile Backed Memory r True False False -
index.dat 0x02240000 0x0226bfff Memory Mapped File rw True False False -
index.dat 0x02270000 0x02277fff Memory Mapped File rw True False False -
index.dat 0x02280000 0x0228ffff Memory Mapped File rw True False False -
urlmon.dll.mui 0x02290000 0x02297fff Memory Mapped File rw False False False -
pagefile_0x00000000022a0000 0x022a0000 0x022a0fff Pagefile Backed Memory rw True False False -
index.dat 0x022b0000 0x022effff Memory Mapped File rw True False False -
index.dat 0x022f0000 0x022fffff Memory Mapped File rw True False False -
thumbcache_32.db 0x02300000 0x02300fff Memory Mapped File rw True False False -
thumbcache_1024.db 0x02310000 0x02310fff Memory Mapped File rw True False False -
thumbcache_sr.db 0x02320000 0x02320fff Memory Mapped File rw True False False -
private_0x0000000002330000 0x02330000 0x02355fff Private Memory rw True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db 0x02360000 0x0237efff Memory Mapped File r True False False -
pagefile_0x0000000002380000 0x02380000 0x02380fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x02390000 0x02393fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x023a0000 0x023cffff Memory Mapped File r True False False -
cversions.2.db 0x023d0000 0x023d3fff Memory Mapped File r True False False -
pagefile_0x00000000023e0000 0x023e0000 0x023e1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000023f0000 0x023f0000 0x023f1fff Pagefile Backed Memory r True False False -
private_0x0000000002400000 0x02400000 0x02400fff Private Memory rw True False False -
private_0x0000000002410000 0x02410000 0x02413fff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0245ffff Private Memory rw True False False -
private_0x0000000002460000 0x02460000 0x0249ffff Private Memory rw True False False -
private_0x00000000024a0000 0x024a0000 0x024a3fff Private Memory rw True False False -
pagefile_0x00000000024b0000 0x024b0000 0x024b1fff Pagefile Backed Memory r True False False -
private_0x00000000024c0000 0x024c0000 0x024fffff Private Memory rw True False False -
private_0x0000000002500000 0x02500000 0x02500fff Private Memory rw True False False -
private_0x0000000002510000 0x02510000 0x02510fff Private Memory rw True False False -
private_0x0000000002520000 0x02520000 0x02520fff Private Memory rw True False False -
private_0x0000000002530000 0x02530000 0x02530fff Private Memory rw True False False -
private_0x0000000002540000 0x02540000 0x0257ffff Private Memory rw True False False -
staticcache.dat 0x02580000 0x02eaffff Memory Mapped File r False False False -
pagefile_0x0000000002eb0000 0x02eb0000 0x02eb0fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000002ec0000 0x02ec0000 0x02ec1fff Pagefile Backed Memory r True False False -
cversions.2.db 0x02ed0000 0x02ed3fff Memory Mapped File r True False False -
pagefile_0x0000000002ee0000 0x02ee0000 0x02ee1fff Pagefile Backed Memory r True False False -
{0b09c990-dfff-4f54-a0f7-84dceb6a5b2b}.2.ver0x0000000000000001.db 0x02ef0000 0x02ef0fff Memory Mapped File r True False False -
cversions.2.db 0x02f00000 0x02f03fff Memory Mapped File r True False False -
private_0x0000000002f10000 0x02f10000 0x02f10fff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02f20000 0x02f85fff Memory Mapped File r True False False -
private_0x0000000002f90000 0x02f90000 0x0308ffff Private Memory rw True False False -
pagefile_0x0000000003090000 0x03090000 0x03091fff Pagefile Backed Memory r True False False -
cversions.2.db 0x030a0000 0x030a3fff Memory Mapped File r True False False -
private_0x00000000030b0000 0x030b0000 0x030b0fff Private Memory rwx True False False -
pagefile_0x00000000030c0000 0x030c0000 0x030c1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000030d0000 0x030d0000 0x030d1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000030e0000 0x030e0000 0x030e1fff Pagefile Backed Memory r True False False -
private_0x00000000030f0000 0x030f0000 0x030f0fff Private Memory rw True False False -
private_0x0000000003100000 0x03100000 0x03100fff Private Memory rw True False False -
private_0x0000000003110000 0x03110000 0x0314ffff Private Memory rw True False False -
private_0x0000000003150000 0x03150000 0x03150fff Private Memory rw True False False -
thumbcache_32.db 0x03160000 0x03160fff Memory Mapped File rw True False False -
thumbcache_96.db 0x03170000 0x03170fff Memory Mapped File rw True False False -
thumbcache_1024.db 0x03180000 0x03180fff Memory Mapped File rw True False False -
{e09a7d78-232a-4473-ac51-d6dfbb0b032a}.2.ver0x0000000000000002.db 0x03190000 0x03190fff Memory Mapped File r True False False -
cversions.2.db 0x031e0000 0x031e3fff Memory Mapped File r True False False -
{7a77eb19-3f1f-481b-a465-50389a60f663}.2.ver0x0000000000000001.db 0x031f0000 0x031f0fff Memory Mapped File r True False False -
thumbcache_sr.db 0x03200000 0x03200fff Memory Mapped File rw True False False -
thumbcache_idx.db 0x03210000 0x03210fff Memory Mapped File rw True False False -
thumbcache_32.db 0x03220000 0x03220fff Memory Mapped File rw True False False -
private_0x0000000003230000 0x03230000 0x0326ffff Private Memory rw True False False -
private_0x0000000003270000 0x03270000 0x032affff Private Memory rw True False False -
private_0x00000000032b0000 0x032b0000 0x032b0fff Private Memory rw True False False -
private_0x00000000032c0000 0x032c0000 0x032c0fff Private Memory rw True False False -
private_0x00000000032d0000 0x032d0000 0x032d0fff Private Memory rw True False False -
private_0x00000000032e0000 0x032e0000 0x032e0fff Private Memory rw True False False -
private_0x00000000032f0000 0x032f0000 0x032f0fff Private Memory rw True False False -
thumbcache_idx.db 0x03300000 0x03300fff Memory Mapped File rw True False False -
pagefile_0x0000000003310000 0x03310000 0x03310fff Pagefile Backed Memory r True False False -
wdmaud.drv.mui 0x03320000 0x03320fff Memory Mapped File rw False False False -
private_0x0000000003330000 0x03330000 0x03332fff Private Memory rw True False False -
thumbcache_1024.db 0x03380000 0x03380fff Memory Mapped File rw True False False -
private_0x0000000003390000 0x03390000 0x03390fff Private Memory rw True False False -
private_0x00000000033a0000 0x033a0000 0x033a0fff Private Memory rw True False False -
pagefile_0x00000000033b0000 0x033b0000 0x033b1fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x033c0000 0x033c0fff Memory Mapped File r False False False -
private_0x00000000033d0000 0x033d0000 0x034cffff Private Memory rw True False False -
private_0x00000000034d0000 0x034d0000 0x0350ffff Private Memory rw True False False -
private_0x0000000003510000 0x03510000 0x0354ffff Private Memory rw True False False -
private_0x0000000003550000 0x03550000 0x03582fff Private Memory rw True False False -
For performance reasons, the remaining 246 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #5: taskhost.exe
Information Value
ID #5
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x540
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x488, 0x46C, 0x4B4, 0x430, 0x424, 0x218, 0x1E4, 0x570, 0x560, 0x554, 0x544, 0xA04, 0xA20,
0xA24, 0xAC4, 0xAE0, 0xAF8, 0xB14, 0xB24, 0xB40, 0xB50, 0xB6C, 0xB7C, 0xB98, 0xBAC, 0xBC8, 0xC04,
0xC20, 0xC30, 0xC4C, 0xC5C, 0xC78, 0xCC4, 0xCE0, 0xD34, 0xD50, 0xD88, 0xDA8, 0xDB8, 0xDD4, 0xDE4,
0xE00, 0xE14, 0xE10, 0xE30, 0xE48, 0xE64, 0xE78, 0xE94, 0xEA4, 0xEC0, 0xED0, 0xEEC, 0xEFC, 0xF18,
0xF28, 0xF44, 0xF58, 0xF74, 0xF88, 0xFA4, 0xFB4, 0xFD0, 0xFE0, 0xFFC, 0x8BC, 0x8E4, 0x8D8, 0x6EC,
0x8FC, 0x848, 0x894, 0x854, 0x730, 0x12C, 0x174, 0x828, 0x83C, 0x694, 0x960, 0x94C, 0x938, 0x974,
0x90C, 0x9C4, 0xA0C, 0xA20, 0xACC, 0x990, 0x9B8, 0xAE8, 0xAD8, 0x210, 0xB10, 0xAF8, 0xB38, 0xB54,
0xB6C, 0xB94, 0xBA0, 0xBC0, 0xC08, 0xC14, 0xC38, 0xC3C, 0xC70, 0xC7C, 0x7DC, 0xBD4, 0xCD4, 0xD28,
0xD48, 0xD50, 0xDA0, 0xDF0, 0xE18, 0x138, 0x6D0, 0xBA4, 0x37C, 0x90, 0x448, 0x188, 0xE64, 0xE70,
0xE84, 0x310, 0xEA8, 0xEB8, 0xED4, 0xEE8, 0xEF4, 0x518, 0xF0C, 0xF2C, 0xF44, 0xF4C, 0xF60, 0xF64,
0x684, 0xF88, 0xFB8, 0xFD0, 0xFE8, 0x87C, 0x88C, 0x8E4, 0x8EC, 0x8C4, 0x864, 0x848, 0x86C, 0x854,
0x65C, 0x64, 0x40C, 0x174, 0xCB8, 0x9F8, 0x180, 0x2A8, 0x92C, 0x930, 0x948, 0x97C, 0x968, 0x90C,
0xB0, 0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x0011ffff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
msutb.dll.mui 0x00160000 0x00161fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x00297fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x002a0fff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002b0fff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002c0fff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory rw True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory r True False False -
wdmaud.drv.mui 0x00320000 0x00320fff Memory Mapped File rw False False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00530fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x00932fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000940000 0x00940000 0x00a1efff Pagefile Backed Memory r True False False -
private_0x0000000000a20000 0x00a20000 0x00a5ffff Private Memory rw True False False -
private_0x0000000000a60000 0x00a60000 0x00a9ffff Private Memory rw True False False -
mmdevapi.dll.mui 0x00aa0000 0x00aa0fff Memory Mapped File rw False False False -
private_0x0000000000ab0000 0x00ab0000 0x00ab1fff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00b0ffff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory rw True False False -
private_0x0000000000bc0000 0x00bc0000 0x00bfffff Private Memory rw True False False -
private_0x0000000000c00000 0x00c00000 0x00c7ffff Private Memory rw True False False -
private_0x0000000000d00000 0x00d00000 0x00d3ffff Private Memory rw True False False -
private_0x0000000000d50000 0x00d50000 0x00d8ffff Private Memory rw True False False -
private_0x0000000000dc0000 0x00dc0000 0x00dfffff Private Memory rw True False False -
private_0x0000000000e00000 0x00e00000 0x00e3ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00e50000 0x00f0ffff Memory Mapped File rw False False False -
taskhost.exe 0x00f40000 0x00f4efff Memory Mapped File rwx False False False -
pagefile_0x0000000000f50000 0x00f50000 0x01b4ffff Pagefile Backed Memory r True False False -
private_0x0000000001b50000 0x01b50000 0x01b8ffff Private Memory rw True False False -
private_0x0000000001b90000 0x01b90000 0x01c8ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01eaffff Private Memory rw True False False -
sortdefault.nls 0x01eb0000 0x0217efff Memory Mapped File r False False False -
private_0x0000000002180000 0x02180000 0x02581fff Private Memory rw True False False -
audioses.dll 0x6e560000 0x6e595fff Memory Mapped File rwx False False False -
npmproxy.dll 0x6e700000 0x6e707fff Memory Mapped File rwx False False False -
dimsjob.dll 0x6e810000 0x6e81afff Memory Mapped File rwx False False False -
netprofm.dll 0x6e8a0000 0x6e8f9fff Memory Mapped File rwx False False False -
wdmaud.drv 0x6e9c0000 0x6e9effff Memory Mapped File rwx False False False -
winmm.dll 0x6e9f0000 0x6ea21fff Memory Mapped File rwx False False False -
ksuser.dll 0x6eef0000 0x6eef3fff Memory Mapped File rwx False False False -
playsndsrv.dll 0x704e0000 0x704f5fff Memory Mapped File rwx False False False -
msutb.dll 0x70510000 0x7053bfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x70540000 0x70547fff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x71d20000 0x71d28fff Memory Mapped File rwx False False False -
slc.dll 0x73870000 0x73879fff Memory Mapped File rwx False False False -
dsrole.dll 0x73880000 0x73888fff Memory Mapped File rwx False False False -
nlaapi.dll 0x738f0000 0x738fffff Memory Mapped File rwx False False False -
taskschd.dll 0x739e0000 0x73a5cfff Memory Mapped File rwx False False False -
avrt.dll 0x73b40000 0x73b46fff Memory Mapped File rwx False False False -
midimap.dll 0x73c80000 0x73c86fff Memory Mapped File rwx False False False -
msacm32.dll 0x73c90000 0x73ca3fff Memory Mapped File rwx False False False -
msacm32.drv 0x73cb0000 0x73cb7fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x73d60000 0x73d6cfff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x73ed0000 0x73f08fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
propsys.dll 0x74220000 0x74314fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
winsta.dll 0x75340000 0x75368fff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
devobj.dll 0x75400000 0x75411fff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75590000 0x755b6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
setupapi.dll 0x764b0000 0x7664cfff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #6: taskeng.exe
Information Value
ID #6
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {7737867F-ACDD-43AC-B745-B8B549957EED} S-1-5-21-3785418085-2572485238-895829336-1000:CRH2YWU7\EEBsYm5:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:13, Reason: Self Terminated
Monitor Duration 00:03:42
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x58c
Parent PID 0x358 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x524
0x5E0
0x5DC
0x5A0
0x594
0x590
0xAAC
0x6D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x002f0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x00300fff Private Memory rw True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0057ffff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x009a2fff Pagefile Backed Memory r True False False -
private_0x0000000000a60000 0x00a60000 0x00a9ffff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00b2ffff Private Memory rw True False False -
sortdefault.nls 0x00b30000 0x00dfefff Memory Mapped File r False False False -
private_0x0000000000e10000 0x00e10000 0x00e4ffff Private Memory rw True False False -
pagefile_0x0000000000e50000 0x00e50000 0x00f2efff Pagefile Backed Memory r True False False -
taskeng.exe 0x00f30000 0x00f5ffff Memory Mapped File rwx False False False -
pagefile_0x0000000000f60000 0x00f60000 0x01b5ffff Pagefile Backed Memory r True False False -
private_0x0000000001b80000 0x01b80000 0x01bbffff Private Memory rw True False False -
private_0x0000000001c20000 0x01c20000 0x01c5ffff Private Memory rw True False False -
private_0x0000000001d50000 0x01d50000 0x01d8ffff Private Memory rw True False False -
tschannel.dll 0x70500000 0x70507fff Memory Mapped File rwx False False False -
xmllite.dll 0x73e80000 0x73eaefff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #7: dwm.exe
Information Value
ID #7
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x598
Parent PID 0x330 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x53C
0x6DC
0x5B4
0x5A8
0x59C
0xAB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
pagefile_0x0000000000160000 0x00160000 0x00227fff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x004b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004c0000 0x004c0000 0x008b2fff Pagefile Backed Memory r True False False -
private_0x00000000008c0000 0x008c0000 0x0093ffff Private Memory rw True False False -
private_0x0000000000950000 0x00950000 0x0095ffff Private Memory rw True False False -
pagefile_0x0000000000960000 0x00960000 0x00a3efff Pagefile Backed Memory r True False False -
private_0x0000000000a70000 0x00a70000 0x00aaffff Private Memory rw True False False -
private_0x0000000000b00000 0x00b00000 0x00b3ffff Private Memory rw True False False -
private_0x0000000000bc0000 0x00bc0000 0x00bfffff Private Memory rw True False False -
sortdefault.nls 0x00c00000 0x00ecefff Memory Mapped File r False False False -
dwm.exe 0x00f30000 0x00f49fff Memory Mapped File rwx False False False -
pagefile_0x0000000000f50000 0x00f50000 0x01b4ffff Pagefile Backed Memory r True False False -
private_0x0000000001b50000 0x01b50000 0x01c4ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d5ffff Private Memory rw True False False -
dxgi.dll 0x71aa0000 0x71b22fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x71b30000 0x71b69fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x71b70000 0x71b9bfff Memory Mapped File rwx False False False -
dwmcore.dll 0x71ba0000 0x71cf0fff Memory Mapped File rwx False False False -
dwmredir.dll 0x71d00000 0x71d1afff Memory Mapped File rwx False False False -
windowscodecs.dll 0x73d80000 0x73e7afff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
msasn1.dll 0x753f0000 0x753fbfff Memory Mapped File rwx False False False -
crypt32.dll 0x75420000 0x7553cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
wintrust.dll 0x75650000 0x7567cfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
psapi.dll 0x75820000 0x75824fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #8: publish eclipse.exe
Information Value
ID #8
File Name c:\program files\dvd maker\publish eclipse.exe
Command Line "C:\Program Files\DVD Maker\publish eclipse.exe"
Initial Working Directory C:\Program Files\DVD Maker\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x7ac
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x240
0xA8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
publish eclipse.exe 0x00040000 0x00056fff Memory Mapped File rwx False False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
locale.nls 0x001c0000 0x00226fff Memory Mapped File r False False False -
pagefile_0x0000000000230000 0x00230000 0x002f7fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00500fff Pagefile Backed Memory r True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
pagefile_0x0000000000580000 0x00580000 0x0117ffff Pagefile Backed Memory r True False False -
private_0x0000000001210000 0x01210000 0x0124ffff Private Memory rw True False False -
pagefile_0x0000000001250000 0x01250000 0x0132efff Pagefile Backed Memory r True False False -
private_0x0000000001330000 0x01330000 0x0142ffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #9: believes.exe
Information Value
ID #9
File Name c:\program files\microsoft office\believes.exe
Command Line "C:\Program Files\Microsoft Office\believes.exe"
Initial Working Directory C:\Program Files\Microsoft Office\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x234
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x390
0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00357fff Pagefile Backed Memory r True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00610fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x006fefff Pagefile Backed Memory r True False False -
private_0x0000000000840000 0x00840000 0x0093ffff Private Memory rw True False False -
believes.exe 0x00aa0000 0x00ab6fff Memory Mapped File rwx False False False -
pagefile_0x0000000000ac0000 0x00ac0000 0x016bffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #10: draws-gpl-op.exe
Information Value
ID #10
File Name c:\program files\microsoft office\draws-gpl-op.exe
Command Line "C:\Program Files\Microsoft Office\draws-gpl-op.exe"
Initial Working Directory C:\Program Files\Microsoft Office\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x508
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x63C
0xA88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
locale.nls 0x00190000 0x001f6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00487fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000490000 0x00490000 0x00590fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x0067efff Pagefile Backed Memory r True False False -
private_0x00000000006d0000 0x006d0000 0x0070ffff Private Memory rw True False False -
private_0x00000000007f0000 0x007f0000 0x008effff Private Memory rw True False False -
draws-gpl-op.exe 0x00b00000 0x00b16fff Memory Mapped File rwx False False False -
pagefile_0x0000000000b20000 0x00b20000 0x0171ffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #11: shemales.exe
Information Value
ID #11
File Name c:\program files\mozilla maintenance service\shemales.exe
Command Line "C:\Program Files\Mozilla Maintenance Service\shemales.exe"
Initial Working Directory C:\Program Files\Mozilla Maintenance Service\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x45c
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x30C
0xA78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00317fff Pagefile Backed Memory r True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x005f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x006defff Pagefile Backed Memory r True False False -
private_0x0000000000700000 0x00700000 0x0073ffff Private Memory rw True False False -
private_0x0000000000920000 0x00920000 0x00a1ffff Private Memory rw True False False -
shemales.exe 0x00da0000 0x00db6fff Memory Mapped File rwx False False False -
pagefile_0x0000000000dc0000 0x00dc0000 0x019bffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #12: clan-down.exe
Information Value
ID #12
File Name c:\program files\reference assemblies\clan-down.exe
Command Line "C:\Program Files\Reference Assemblies\clan-down.exe"
Initial Working Directory C:\Program Files\Reference Assemblies\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x140
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4E8, 0xA7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
clan-down.exe 0x000d0000 0x000e6fff Memory Mapped File rwx False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x004e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004f0000 0x004f0000 0x005f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x011fffff Pagefile Backed Memory r True False False -
private_0x0000000001290000 0x01290000 0x012cffff Private Memory rw True False False -
pagefile_0x00000000012d0000 0x012d0000 0x013aefff Pagefile Backed Memory r True False False -
private_0x0000000001470000 0x01470000 0x0156ffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #13: naples-may.exe
Information Value
ID #13
File Name c:\program files\microsoft visual studio 8\naples-may.exe
Command Line "C:\Program Files\Microsoft Visual Studio 8\naples-may.exe"
Initial Working Directory C:\Program Files\Microsoft Visual Studio 8\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x7e0
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x678, 0xA80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
pagefile_0x00000000001e0000 0x001e0000 0x002a7fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x0062efff Pagefile Backed Memory r True False False -
private_0x0000000000770000 0x00770000 0x0086ffff Private Memory rw True False False -
naples-may.exe 0x00d10000 0x00d26fff Memory Mapped File rwx False False False -
pagefile_0x0000000000d30000 0x00d30000 0x0192ffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #14: l_meetup.exe
Information Value
ID #14
File Name c:\program files\google\l_meetup.exe
Command Line "C:\Program Files\Google\l_meetup.exe"
Initial Working Directory C:\Program Files\Google\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x610
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6F0, 0xA74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x002d7fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x004e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004f0000 0x004f0000 0x010effff Pagefile Backed Memory r True False False -
l_meetup.exe 0x01100000 0x01116fff Memory Mapped File rwx False False False -
pagefile_0x0000000001120000 0x01120000 0x011fefff Pagefile Backed Memory r True False False -
private_0x0000000001210000 0x01210000 0x0124ffff Private Memory rw True False False -
private_0x00000000012b0000 0x012b0000 0x013affff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #15: thou_blah_thanks.exe
Information Value
ID #15
File Name c:\program files\microsoft analysis services\thou_blah_thanks.exe
Command Line "C:\Program Files\Microsoft Analysis Services\thou_blah_thanks.exe"
Initial Working Directory C:\Program Files\Microsoft Analysis Services\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x318
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x404, 0xA68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x00560fff Pagefile Backed Memory r True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
pagefile_0x00000000005d0000 0x005d0000 0x006aefff Pagefile Backed Memory r True False False -
private_0x00000000007a0000 0x007a0000 0x007dffff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x00a9ffff Private Memory rw True False False -
thou_blah_thanks.exe 0x00f10000 0x00f26fff Memory Mapped File rwx False False False -
pagefile_0x0000000000f30000 0x00f30000 0x01b2ffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #16: msn arg.exe
Information Value
ID #16
File Name c:\program files\microsoft synchronization services\msn arg.exe
Command Line "C:\Program Files\Microsoft Synchronization Services\msn arg.exe"
Initial Working Directory C:\Program Files\Microsoft Synchronization Services\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x458
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x128, 0xA6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x00437fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x0062efff Pagefile Backed Memory r True False False -
private_0x0000000000660000 0x00660000 0x0069ffff Private Memory rw True False False -
private_0x0000000000820000 0x00820000 0x0091ffff Private Memory rw True False False -
msn arg.exe 0x00970000 0x00986fff Memory Mapped File rwx False False False -
pagefile_0x0000000000990000 0x00990000 0x0158ffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #17: schedulespackets.exe
Information Value
ID #17
File Name c:\program files\msbuild\schedulespackets.exe
Command Line "C:\Program Files\MSBuild\schedulespackets.exe"
Initial Working Directory C:\Program Files\MSBuild\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x14c
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x584, 0xA70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
schedulespackets.exe 0x001d0000 0x001e6fff Memory Mapped File rwx False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
locale.nls 0x00320000 0x00386fff Memory Mapped File r False False False -
pagefile_0x0000000000390000 0x00390000 0x00457fff Pagefile Backed Memory r True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x005f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x011fffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001200000 0x01200000 0x012defff Pagefile Backed Memory r True False False -
private_0x00000000013d0000 0x013d0000 0x0140ffff Private Memory rw True False False -
private_0x00000000014b0000 0x014b0000 0x015affff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #18: individuals.exe
Information Value
ID #18
File Name c:\program files\reference assemblies\individuals.exe
Command Line "C:\Program Files\Reference Assemblies\individuals.exe"
Initial Working Directory C:\Program Files\Reference Assemblies\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x520
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x118, 0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
individuals.exe 0x001f0000 0x00206fff Memory Mapped File rwx False False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x00377fff Pagefile Backed Memory r True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x005f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x011fffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001200000 0x01200000 0x012defff Pagefile Backed Memory r True False False -
private_0x00000000013a0000 0x013a0000 0x013dffff Private Memory rw True False False -
private_0x0000000001560000 0x01560000 0x0165ffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1 Fn
Process #19: protocols.exe
Information Value
ID #19
File Name c:\program files\microsoft synchronization services\protocols.exe
Command Line "C:\Program Files\Microsoft Synchronization Services\protocols.exe"
Initial Working Directory C:\Program Files\Microsoft Synchronization Services\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x744
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x328, 0xA5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
pagefile_0x0000000000360000 0x00360000 0x00427fff Pagefile Backed Memory r True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x005e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x006cefff Pagefile Backed Memory r True False False -
private_0x00000000006f0000 0x006f0000 0x0072ffff Private Memory rw True False False -
protocols.exe 0x00860000 0x00876fff Memory Mapped File rwx False False False -
pagefile_0x0000000000880000 0x00880000 0x0147ffff Pagefile Backed Memory r True False False -
private_0x0000000001560000 0x01560000 0x0165ffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #20: colleges wind bread.exe
Information Value
ID #20
File Name c:\program files\microsoft sync framework\colleges wind bread.exe
Command Line "C:\Program Files\Microsoft Sync Framework\colleges wind bread.exe"
Initial Working Directory C:\Program Files\Microsoft Sync Framework\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x360
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x49C
0xA60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
colleges wind bread.exe 0x00130000 0x00146fff Memory Mapped File rwx False False False -
pagefile_0x0000000000150000 0x00150000 0x00217fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x0042ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x00640fff Pagefile Backed Memory r True False False -
private_0x0000000000700000 0x00700000 0x0070ffff Private Memory rw True False False -
pagefile_0x0000000000710000 0x00710000 0x0130ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001310000 0x01310000 0x013eefff Pagefile Backed Memory r True False False -
private_0x0000000001510000 0x01510000 0x0160ffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #21: correction ti.exe
Information Value
ID #21
File Name c:\program files\windows journal\correction ti.exe
Command Line "C:\Program Files\Windows Journal\correction ti.exe"
Initial Working Directory C:\Program Files\Windows Journal\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x308
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x42C
0xA64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0015ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
pagefile_0x0000000000270000 0x00270000 0x00337fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000340000 0x00340000 0x0041efff Pagefile Backed Memory r True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x00620fff Pagefile Backed Memory r True False False -
private_0x0000000000730000 0x00730000 0x0082ffff Private Memory rw True False False -
correction ti.exe 0x00f60000 0x00f76fff Memory Mapped File rwx False False False -
pagefile_0x0000000000f80000 0x00f80000 0x01b7ffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #22: producing_install.exe
Information Value
ID #22
File Name c:\program files\windows photo viewer\producing_install.exe
Command Line "C:\Program Files\Windows Photo Viewer\producing_install.exe"
Initial Working Directory C:\Program Files\Windows Photo Viewer\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x2dc
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x804
0xA48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x003b0fff Pagefile Backed Memory r True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x0042ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x0061efff Pagefile Backed Memory r True False False -
producing_install.exe 0x00800000 0x00816fff Memory Mapped File rwx False False False -
pagefile_0x0000000000820000 0x00820000 0x0141ffff Pagefile Backed Memory r True False False -
private_0x0000000001490000 0x01490000 0x0158ffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #23: casa directors.exe
Information Value
ID #23
File Name c:\program files\windows media player\casa directors.exe
Command Line "C:\Program Files\Windows Media Player\casa directors.exe"
Initial Working Directory C:\Program Files\Windows Media Player\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x7c8
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x51C
0xA4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
casa directors.exe 0x00310000 0x00326fff Memory Mapped File rwx False False False -
pagefile_0x0000000000330000 0x00330000 0x003f7fff Pagefile Backed Memory r True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x005e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x011effff Pagefile Backed Memory r True False False -
private_0x00000000012c0000 0x012c0000 0x012fffff Private Memory rw True False False -
pagefile_0x0000000001300000 0x01300000 0x013defff Pagefile Backed Memory r True False False -
private_0x00000000015c0000 0x015c0000 0x016bffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #24: rhsublime.exe
Information Value
ID #24
File Name c:\program files\reference assemblies\rhsublime.exe
Command Line "C:\Program Files\Reference Assemblies\rhsublime.exe"
Initial Working Directory C:\Program Files\Reference Assemblies\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x2ac
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x754
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00390fff Pagefile Backed Memory r True False False -
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x005eefff Pagefile Backed Memory r True False False -
private_0x0000000000600000 0x00600000 0x0063ffff Private Memory rw True False False -
private_0x00000000006a0000 0x006a0000 0x006affff Private Memory rw True False False -
private_0x0000000000730000 0x00730000 0x0082ffff Private Memory rw True False False -
rhsublime.exe 0x00eb0000 0x00ec6fff Memory Mapped File rwx False False False -
pagefile_0x0000000000ed0000 0x00ed0000 0x01acffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #25: lions_commands.exe
Information Value
ID #25
File Name c:\program files\mozilla maintenance service\lions_commands.exe
Command Line "C:\Program Files\Mozilla Maintenance Service\lions_commands.exe"
Initial Working Directory C:\Program Files\Mozilla Maintenance Service\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x588
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC4
0xA54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x00377fff Pagefile Backed Memory r True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x005b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x0069efff Pagefile Backed Memory r True False False -
private_0x00000000007e0000 0x007e0000 0x008dffff Private Memory rw True False False -
lions_commands.exe 0x00bb0000 0x00bc6fff Memory Mapped File rwx False False False -
pagefile_0x0000000000bd0000 0x00bd0000 0x017cffff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #26: resulted spanish.exe
Information Value
ID #26
File Name c:\program files\msbuild\resulted spanish.exe
Command Line "C:\Program Files\MSBuild\resulted spanish.exe"
Initial Working Directory C:\Program Files\MSBuild\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x810
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x814
0xA44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x00377fff Pagefile Backed Memory r True False False -
resulted spanish.exe 0x003b0000 0x003c6fff Memory Mapped File rwx False False False -
pagefile_0x00000000003d0000 0x003d0000 0x004aefff Pagefile Backed Memory r True False False -
private_0x00000000004c0000 0x004c0000 0x005bffff Private Memory rw True False False -
pagefile_0x00000000005c0000 0x005c0000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x012cffff Pagefile Backed Memory r True False False -
private_0x0000000001450000 0x01450000 0x0148ffff Private Memory rw True False False -
private_0x00000000014c0000 0x014c0000 0x015bffff Private Memory rw True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #27: taste_regulated.exe
Information Value
ID #27
File Name c:\program files\windows photo viewer\taste_regulated.exe
Command Line "C:\Program Files\Windows Photo Viewer\taste_regulated.exe"
Initial Working Directory C:\Program Files\Windows Photo Viewer\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x830
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x834
0xA3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
taste_regulated.exe 0x00280000 0x00296fff Memory Mapped File rwx False False False -
locale.nls 0x002a0000 0x00306fff Memory Mapped File r False False False -
pagefile_0x0000000000310000 0x00310000 0x003d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003e0000 0x003e0000 0x004e0fff Pagefile Backed Memory r True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x0110ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001110000 0x01110000 0x011eefff Pagefile Backed Memory r True False False -
private_0x0000000001290000 0x01290000 0x012cffff Private Memory rw True False False -
private_0x0000000001380000 0x01380000 0x013bffff Private Memory rw True False False -
staticcache.dat 0x013c0000 0x01ceffff Memory Mapped File r False False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #28: bo-optical-jar.exe
Information Value
ID #28
File Name c:\program files\windows mail\bo-optical-jar.exe
Command Line "C:\Program Files\Windows Mail\bo-optical-jar.exe"
Initial Working Directory C:\Program Files\Windows Mail\
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
Remark This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis.
OS Process Information
Information Value
PID 0x820
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x824
0xA40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x002b7fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x005e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x006cefff Pagefile Backed Memory r True False False -
private_0x0000000000880000 0x00880000 0x008bffff Private Memory rw True False False -
private_0x00000000008c0000 0x008c0000 0x009bffff Private Memory rw True False False -
bo-optical-jar.exe 0x00c70000 0x00c86fff Memory Mapped File rwx False False False -
pagefile_0x0000000000c90000 0x00c90000 0x0188ffff Pagefile Backed Memory r True False False -
staticcache.dat 0x01890000 0x021bffff Memory Mapped File r False False False -
pagefile_0x00000000021c0000 0x021c0000 0x025b2fff Pagefile Backed Memory r True False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Inject File #2: c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe 0x9dc file_name = c:\users\eebsym5\desktop\858e70ca9281a346bf5399b181643aba478960142637460fea7b7d14d3192c01.exe False 1
Process #29: csrss.exe
Information Value
ID #29
File Name c:\windows\system32\csrss.exe
Command Line %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:00:31, Reason: Injection
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:55
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x184
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x1D4
0x1C8
0x1BC
0x1A8
0x1A4
0x1A0
0x19C
0x188
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x (null) 0x00000000 0x000fffff Private Memory rw True False False -
locale.nls 0x00100000 0x00166fff Memory Mapped File r False False False -
pagefile_0x0000000000170000 0x00170000 0x00176fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
vgasys.fon 0x001a0000 0x001a1fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001fffff Pagefile Backed Memory rw True False False -
marlett.ttf 0x00200000 0x00206fff Memory Mapped File r False False False -
pagefile_0x0000000000210000 0x00210000 0x0022ffff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory rw True False False -
segoeui.ttf 0x00240000 0x002befff Memory Mapped File r False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002cffff Pagefile Backed Memory r True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00530fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x0054ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x0055ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000560000 0x00560000 0x0056ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000570000 0x00570000 0x0057ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000580000 0x00580000 0x0058ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000590000 0x00590000 0x0059ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005affff Pagefile Backed Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005effff Private Memory rw True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005fffff Pagefile Backed Memory rw True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
pagefile_0x0000000000610000 0x00610000 0x00a02fff Pagefile Backed Memory r True False False -
micross.ttf 0x00a10000 0x00aaffff Memory Mapped File r False False False -
vgaoem.fon 0x00ab0000 0x00ab1fff Memory Mapped File r False False False -
private_0x0000000000ac0000 0x00ac0000 0x00afffff Private Memory rw True False False -
pagefile_0x0000000000b00000 0x00b00000 0x00bc7fff Pagefile Backed Memory r True False False -
private_0x0000000000bd0000 0x00bd0000 0x00c0ffff Private Memory rw True False False -
private_0x0000000000c10000 0x00c10000 0x00c4ffff Private Memory rw True False False -
private_0x0000000000c50000 0x00c50000 0x00c8ffff Private Memory rw True False False -
pagefile_0x0000000000c90000 0x00c90000 0x0188ffff Pagefile Backed Memory r True False False -
segoeuii.ttf 0x01890000 0x018eefff Memory Mapped File r False False False -
dosapp.fon 0x018f0000 0x018f8fff Memory Mapped File r False False False -
cga40woa.fon 0x01900000 0x01901fff Memory Mapped File r False False False -
cga80woa.fon 0x01910000 0x01911fff Memory Mapped File r False False False -
ega40woa.fon 0x01920000 0x01922fff Memory Mapped File r False False False -
pagefile_0x0000000001930000 0x01930000 0x0193ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001940000 0x01940000 0x0194ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001950000 0x01950000 0x0195ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001960000 0x01960000 0x0196ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001970000 0x01970000 0x0197ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001980000 0x01980000 0x0198ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001990000 0x01990000 0x0199ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000000019a0000 0x019a0000 0x019affff Pagefile Backed Memory rw True False False -
pagefile_0x00000000019b0000 0x019b0000 0x019bffff Pagefile Backed Memory rw True False False -
pagefile_0x00000000019c0000 0x019c0000 0x019cffff Pagefile Backed Memory rw True False False -
pagefile_0x00000000019d0000 0x019d0000 0x019dffff Pagefile Backed Memory rw True False False -
pagefile_0x00000000019e0000 0x019e0000 0x019effff Pagefile Backed Memory rw True False False -
pagefile_0x00000000019f0000 0x019f0000 0x019fffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001a00000 0x01a00000 0x01a0ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001a10000 0x01a10000 0x01a1ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001a20000 0x01a20000 0x01a2ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001a30000 0x01a30000 0x01a3ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001a40000 0x01a40000 0x01a4ffff Pagefile Backed Memory rw True False False -
segoeuib.ttf 0x01a50000 0x01ac9fff Memory Mapped File r False False False -
arial.ttf 0x01ad0000 0x01b8cfff Memory Mapped File r False False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b9ffff Pagefile Backed Memory rw True False False -
tahoma.ttf 0x01ba0000 0x01c4afff Memory Mapped File r False False False -
csrss.exe 0x49890000 0x49894fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
sxs.dll 0x752e0000 0x7533efff Memory Mapped File rwx False False False -
sxssrv.dll 0x75390000 0x75398fff Memory Mapped File rwx False False False -
winsrv.dll 0x753a0000 0x753cbfff Memory Mapped File rwx False False False -
basesrv.dll 0x753d0000 0x753ddfff Memory Mapped File rwx False False False -
csrsrv.dll 0x753e0000 0x753ecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #30: dllhost.exe
Information Value
ID #30
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:38, Reason: Injection
Unmonitor End Time: 00:00:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x980
Parent PID 0x254 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege
Thread IDs
0xA34
0x998
0x994
0x990
0x98C
0x988
0x984
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x00177fff Pagefile Backed Memory r True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x00310fff Pagefile Backed Memory r True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x004affff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004effff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x005affff Private Memory rw True False False -
sortdefault.nls 0x005b0000 0x0087efff Memory Mapped File r False False False -
private_0x00000000008d0000 0x008d0000 0x0090ffff Private Memory rw True False False -
dllhost.exe 0x00980000 0x00984fff Memory Mapped File rwx False False False -
pagefile_0x0000000000990000 0x00990000 0x0158ffff Pagefile Backed Memory r True False False -
private_0x0000000001600000 0x01600000 0x0163ffff Private Memory rw True False False -
private_0x0000000001690000 0x01690000 0x016cffff Private Memory rw True False False -
pagefile_0x00000000016d0000 0x016d0000 0x017aefff Pagefile Backed Memory r True False False -
private_0x00000000017e0000 0x017e0000 0x0181ffff Private Memory rw True False False -
comctl32.dll 0x6e460000 0x6e4e3fff Memory Mapped File rwx False False False -
idstore.dll 0x71f30000 0x71f3dfff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
shacct.dll 0x74340000 0x7435dfff Memory Mapped File rwx False False False -
userenv.dll 0x74a30000 0x74a46fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
profapi.dll 0x75380000 0x7538afff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -